Add a SAML Identity Provider

There are two ways to add a SAML 2.0 identity provider (IDP) in Oracle Identity Cloud Service: you can import metadata for the IDP, or you can enter the metadata manually. Both procedures are described in this topic and use the same wizard.

Oracle Identity Cloud Service provides you with a wizard to add a SAML 2.0 IDP. This wizard contains six panes:
  • Details: Provide a name, description, and icon for the SAML IDP.

  • Configure: Configure SSO for the IDP by either importing metadata for it or entering metadata for it.

  • Map: Map a user's attribute value received from the IDP to a corresponding attribute value for the user in Oracle Identity Cloud Service.

    After you provide information in the Map pane of the wizard, Oracle Identity Cloud Service adds the IDP in a deactivated state. You may then want to export metadata for the IDP, test it, or activate it. The wizard provides the Export, Test, and Activate panes for these tasks.

  • Export: Export metadata for Oracle Identity Cloud Service and import this metadata into the IDP. The IDP requires this information to communicate with Oracle Identity Cloud Service for authentication purposes.

    Tip:

    If the IDP doesn't support importing metadata, then the information for Oracle Identity Cloud Service appears in the Export pane. You can enter this metadata into the IDP manually.
  • Test: Test the configuration settings for the IDP to confirm that the IDP is working properly. You can use the credentials of the IDP to log in to Oracle Identity Cloud Service through an external website.

  • Activate: Activate the IDP.

Tip:

Suppose you want a user to use their single sign-on (SSO) credentials to authenticate against Oracle Identity Cloud Service, but you want the user to use the password that's provided by the SAML IDP (instead of their Oracle Identity Cloud Service password). To do this, turn on the Federated switch for the user's account. See Edit Attribute Values for the User Account to learn how to turn on or off this switch.

Oracle Identity Cloud Service also provides you with a wizard to add a social IDP. This wizard contains two panes:

  • Details: Provide a name, description, and icon for the social IDP.

  • Configure: Configure SSO for the IDP by entering metadata for it.

To add an IDP, you must be assigned to either the identity domain administrator role or the security administrator role. See Add or Remove a User Account from an Administrator Role.

Import Metadata for a SAML Identity Provider

You can use Oracle Identity Cloud Service to import metadata for a SAML 2.0 identity provider (IDP).

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Identity Providers.
  2. Click Add SAML IDP. The Add Identity Provider wizard appears.
  3. Use the following table to populate the Details pane of the wizard, and click Next:
    Name: Enter the name of the IDP.
    Description: Enter explanatory information about the IDP.
    Icon: Click Upload to add an icon that represents the IDP.
  4. Use the following table to populate the Configure pane of the wizard, and click Next:
    Import Identity Provider metadata: Click this button to configure SSO for the IDP by importing metadata for it.
    Metadata: Click Upload, and then select the XML file that contains the metadata for the IDP that you want to import.
    Signature Hashing Algorithm: From the menu, select the secure hash algorithm that is used with the signing certificate for the IDP.
    • Select SHA-256 (the default).
    • If the IDP doesn't support SHA-256, then select SHA-1.

    Include Signing Certificate: To include a signing certificate with your IDP, select this check box. The signing certificate is used to verify the signature of the messages for the IDP. If you don't want to include a signing certificate with your IDP, then leave the check box deselected.

  5. Use the following table to populate the Map pane of the wizard, and click Next:
    Identity Provider User Attribute: Select the attribute value received from the IDP that can be used to uniquely identify the user. You can specify the user ID or another SAML attribute (such as the user's email address).

    Oracle Identity Cloud Service User Attribute: Select the attribute in Oracle Identity Cloud Service to which you are mapping the attribute received from the IDP. You can specify the user name or another Oracle Identity Cloud Service attribute (such as the user's display name, primary or recovery email address, or an external ID). You use the external ID when you want to map the attribute received from the IDP to a special ID that's associated with the provider.

    Requested NameID Format: Select the format for mapping the user's attribute value in the IDP to the corresponding attribute in Oracle Identity Cloud Service. If you don't want to provide a format, then select <None Requested>.

  6. Use the following table to populate or reference the Export pane of the wizard, and click Next:
    Service Provider Metadata: To export metadata for Oracle Identity Cloud Service, click Download. Then, import this metadata into the IDP.

    If the federation partner into which you are importing the Oracle Identity Cloud Service metadata performs CRL validation (ADFS does, for example), then instead of using the metadata exported by this button, download the metadata from: https://[instancename.idcs.internal.oracle.com:port]/fed/v1/metadata?adfsmode=true

    Provider ID: The Uniform Resource Identifier (URI) that uniquely identifies the identity domain. There's a one-to-one relationship between the provider ID and the IDP because the provider ID identifies the IDP uniquely. Because of this relationship, only one IDP can be defined in Oracle Identity Cloud Service with a given provider ID.

    Assertion Consumer Service URL: The Uniform Resource Locator (URL) of the service that receives and processes assertions from the IDP.
    Logout Service Endpoint URL: The URL of the service that receives and processes logout requests from the IDP.
    Logout Service Return URL: The URL of the service that receives and processes logout responses from the IDP.
    Service Provider Signing Certificate: To download the signing certificate for the IDP, click Download and select the file that contains the signing certificate. This certificate is used to verify requests and responses signed by Oracle Identity Cloud Service.
    Service Provider Encryption Certificate: To download the encryption certificate for the IDP, click Download and select the file that contains the encryption certificate. The IDP can use this certificate to encrypt the assertion.

    To get the issuing Oracle Identity Cloud Service root certificate, see Obtain the Root CA Certificate from Oracle Identity Cloud Service.

  7. In the Test pane of the wizard, click Test Login to test the configuration settings for the IDP.
  8. Click Next.
  9. In the Activate pane of the wizard, click Activate to activate the IDP.
  10. Click Finish.

Enter Metadata Manually for a SAML Identity Provider

You can use Oracle Identity Cloud Service to enter metadata for a SAML 2.0 identity provider (IDP).

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click Identity Providers.
  2. Click Add SAML IDP.
  3. Populate the Details pane of the Add Identity Provider wizard, and click Next. See Import Metadata for a SAML Identity Provider.
  4. Use the following table to populate the Configure pane of the wizard, and click Next:
    Enter Identity Provider metadata manually: Click this button to configure SSO for the IDP by entering metadata for it.
    Issuer ID: Enter the ID of the issuer that's used to register the signing certificate for the IDP. If you later upload new metadata for the IDP, then the Issuer ID field is updated to reflect the new metadata.
    Signing Certificate: To upload a signing certificate for the IDP, click Upload and select the file that contains the signing certificate.
    Encryption Certificate: To upload an encryption certificate for the IDP, click Upload and select the file that contains the encryption certificate.
    SSO Service URL: Enter the URL of the SSO authentication service for the IDP. With this service, users can access multiple Oracle Cloud services without having to provide authentication credentials more than once.
    SSO Service Binding: This menu contains two options for web-based SSO associated with the IDP: Redirect and POST.
    • To send the authentication request with the HTTP-Redirect binding, select Redirect.
    • To transmit the response associated with the request using the HTTP-POST binding, select POST.

    Global Logout Activated: To activate SAML global logout between Oracle Identity Cloud Service and the IDP, select this check box. Otherwise, leave the check box deselected. If you select the check box, then you must enter two URLs for the IDP (logout request and logout response) and specify whether Oracle Identity Cloud Service initiates a logout with an HTTP-Redirect or HTTP-POST binding.

    Logout Request URL: Enter the URL of the service that receives and processes logout requests from the IDP.
    Logout Response URL: Enter the URL of the service that receives and processes logout responses from the IDP.
    Logout Binding: This menu contains two options to initiate a logout: Redirect and POST.
    • To initiate a logout with the HTTP-Redirect binding, select Redirect.
    • To initiate a logout with the HTTP-POST binding, select POST.

    Signature Hashing Algorithm: Select the SHA-1 or SHA-256 secure hash algorithm that is used with the signing certificate for the IDP. See Import Metadata for a SAML Identity Provider.
    Include Signing Certificate: To include a signing certificate with your IDP, select this check box. If you don't want to include a signing certificate with your IDP, then leave the check box deselected.

  5. Populate the Map pane of the Add Identity Provider wizard, and click Next. See Import Metadata for a SAML Identity Provider.
  6. Populate or reference the Export pane of the Add Identity Provider wizard, and click Next. See Import Metadata for a SAML Identity Provider.
  7. In the Test pane of the wizard, click Test Login to test the configuration settings for the IDP.
  8. Click Next.
  9. In the Activate pane of the wizard, click Activate to activate the IDP.
  10. Click Finish.
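The following is an added example, not Oracle's code, that shows how the fields in the Configure pane of both procedures above (import metadata, or enter it manually) correspond to elements of standard SAML 2.0 IDP metadata. It parses a constructed sample metadata document (hypothetical entity ID, endpoint URLs and certificate placeholders) into the values you would type into the manual-entry fields, and flags a missing signing certificate or an endpoint that is not HTTPS so that you can review the metadata before you import it or trust it.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_NAME = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect",
                "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST"}

# Constructed sample IdP metadata: the entity ID, URLs and certificate values are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC...signing-cert-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC...encryption-cert-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/slo" ResponseLocation="https://idp.example.com/slo/return"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.com/sso"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://idp.example.com/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_settings(metadata_xml):
    """Map IdP metadata onto the wizard's Configure fields and collect review warnings."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    s = {"Issuer ID": root.get("entityID"), "Global Logout Activated": False, "warnings": []}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            s[use.capitalize() + " Certificate"] = "".join(cert.split())  # drop base64 line wrapping
    for sso in idp.findall("md:SingleSignOnService", NS):
        name, url = BINDING_NAME.get(sso.get("Binding")), sso.get("Location", "")
        if not url.startswith("https://"):
            s["warnings"].append(f"SSO endpoint is not HTTPS: {url}")
        if name and "SSO Service URL" not in s:  # first binding the wizard supports wins
            s["SSO Service URL"], s["SSO Service Binding"] = url, name
    slo = idp.find("md:SingleLogoutService", NS)
    if slo is not None and slo.get("Binding") in BINDING_NAME:
        s["Global Logout Activated"] = True
        s["Logout Request URL"] = slo.get("Location")
        s["Logout Response URL"] = slo.get("ResponseLocation") or slo.get("Location")
        s["Logout Binding"] = BINDING_NAME[slo.get("Binding")]
    if "Signing Certificate" not in s:
        s["warnings"].append("no signing certificate: signatures from this IdP cannot be verified")
    return s
```

Run `extract_idp_settings(SAMPLE_METADATA)` to see the field values; per the SAML metadata specification, an absent ResponseLocation means logout responses go to the same Location as requests, which is why that fallback is applied.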